Abstract. The paper studies counter-dependent pseudorandom number generators based on $m$-variate ($m > 1$) ergodic mappings of the space of 2-adic integers $\mathbb{Z}_2$. The sequence of internal states of these generators is defined by the recurrence law $x_{i+1} = H_i(x_i) \bmod 2^n$, whereas their output sequence is $z_i = F_i(x_i) \bmod 2^n$; here $x_i$, $z_i$ are $m$-dimensional vectors over $\mathbb{Z}_2$. It is shown how the results obtained for the univariate case could be extended to the multivariate case.



1. Introduction 

In [1] we considered counter-dependent generators that produce recurrence sequences $\{u_i \in \mathbb{Z}/2^n\}$ of $n$-bit words according to the following law:

$$u_i = F_i(w_i); \qquad w_{i+1} \equiv f_i(w_i) \pmod{2^n}, \qquad (i = 0, 1, 2, \dots).$$

In the mentioned paper we restricted ourselves mainly to the case of univariate mappings $f_i$ and $F_i$. Trivially, each univariate mapping $\mathbb{Z}/2^{mn} \to \mathbb{Z}/2^{mn}$ of the residue ring modulo $2^{mn}$ could be considered as a mapping $(\mathbb{Z}/2^n)^{(m)} \to (\mathbb{Z}/2^n)^{(m)}$ of the Cartesian power $(\mathbb{Z}/2^n)^{(m)}$ of the residue ring $\mathbb{Z}/2^n$, i.e., as an $m$-variate mapping. It turns out, however, that in some cases it is more effective to implement a univariate mapping in its multivariate form to achieve better performance. For instance, recently in [7] there were constructed examples of multivariate T-functions with a single cycle (i.e., of compatible ergodic functions, in our terminology, see [1]), which are very fast (see theorem 6 of [7] and the text thereafter).

Below we introduce a special way to derive multivariate compatible ergodic functions from univariate ones (the mentioned mappings of [7] originate this way); in fact, we merely represent univariate mappings in a multivariate form. This immediately implies that one could apply all the results of [1] to estimate important cryptographic characteristics of these multivariate mappings (e.g., linear and 2-adic spans, distribution of $k$-tuples), as well as to construct multivariate output functions that improve periods of coordinate sequences (see [1] for definitions). Also, exploiting this multivariate representation and using the techniques of wreath products of [1], we describe how to lift an arbitrary $m$-variate permutation with a single cycle of $n$-bit words to a permutation with a single cycle of $(n+k)$-bit words, and how to construct counter-dependent generators based on these multivariate mappings.
2. Multivariate ergodic mappings

Consider a bijection $B(x^0, \dots, x^{m-1}) = X$ of the $m$-th Cartesian power $(\mathbb{Z}_2)^{(m)}$ of the space $\mathbb{Z}_2$ of 2-adic integers onto the space $\mathbb{Z}_2$ given by $\delta_k(X) = \delta_\ell(x^r) \pmod 2$, where $r \in \{0, 1, \dots, m-1\}$ is the least non-negative residue of $k \in \{0, 1, 2, \dots\}$ modulo $m$, $k = \ell \cdot m + r$, $(x^0, \dots, x^{m-1}) \in (\mathbb{Z}_2)^{(m)}$, and $\delta_j(u)$ is the $j$-th bit of the canonical 2-adic representation of $u \in \mathbb{Z}_2$ (footnote 1). Consider a compatible mapping $H\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and the conjugate mapping

$$\mathbf{H}(x^0, \dots, x^{m-1}) = \bigl(h^0(x^0, \dots, x^{m-1}), \dots, h^{m-1}(x^0, \dots, x^{m-1})\bigr)$$

of $(\mathbb{Z}_2)^{(m)}$ to $(\mathbb{Z}_2)^{(m)}$; that is, $\mathbf{H}(x^0, \dots, x^{m-1}) = B^{-1}\bigl(H(B(x^0, \dots, x^{m-1}))\bigr)$.

Obviously, the conjugate mapping is compatible and ergodic whenever the mapping $H$ is ergodic. For instance, let $H(X) = 1 + X$; then

$$\delta_j(H(X)) = \delta_j(X) + \prod_{s=0}^{j-1} \delta_s(X) \pmod 2$$

(we assume the product over the empty set is 1); then the conjugate $m$-variate mapping is given by

$$h^k(x^0, \dots, x^{m-1}) = x^k \oplus \Bigl(\Bigl(\bigwedge_{r=0}^{k-1} x^r\Bigr) \wedge \Bigl(\bigwedge_{r=0}^{m-1} \bigl((x^r + 1) \oplus x^r\bigr)\Bigr)\Bigr) = x^k \oplus \Bigl(\Bigl(\bigwedge_{r=0}^{k-1} x^r\Bigr) \wedge \Bigl(\Bigl(\Bigl(\bigwedge_{r=0}^{m-1} x^r\Bigr) + 1\Bigr) \oplus \Bigl(\bigwedge_{r=0}^{m-1} x^r\Bigr)\Bigr)\Bigr)$$

for $k = 0, 1, 2, \dots, m-1$. Here, we recall, $\wedge$ (or AND) is a bitwise conjunction (footnote 2), $\oplus$ (or XOR) is a bitwise addition modulo 2 (we assume that a bitwise conjunction $\wedge$ over the empty set is $-1$, i.e., the string of all 1's). One could construct various multivariate compatible ergodic mappings by combining this representation with the ergodicity criterion. We recall the latter:

2.1. Theorem. (see [1, Theorem 3.13]) A mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and measure preserving (footnote 3) iff for each $i = 0, 1, \dots$ the Boolean function $\psi^T_i = \delta_i(T)$ in the Boolean variables $\chi_0, \dots, \chi_i$ could be represented as a Boolean polynomial of the form

$$\psi^T_i(\chi_0, \dots, \chi_i) = \chi_i + \varphi^T_i(\chi_0, \dots, \chi_{i-1}),$$

where $\varphi^T_i$ is a Boolean polynomial. The mapping $T$ is compatible and ergodic iff, additionally, the Boolean function $\varphi^T_i$ is of odd weight, that is, takes the value 1 at exactly an odd number of points $(\varepsilon_0, \dots, \varepsilon_{i-1})$, where $\varepsilon_j \in \{0, 1\}$ for $j = 0, 1, \dots, i-1$. The latter takes place if and only if $\varphi^T_0 = 1$, and the degree of the Boolean polynomial $\varphi^T_i$ for $i \ge 1$ is exactly $i$, that is, $\varphi^T_i$ contains the monomial $\chi_0 \cdots \chi_{i-1}$.

For instance, theorem 2.1 implies that an arbitrary univariate compatible and ergodic mapping $T$ gives rise to the $m$-variate compatible and ergodic mapping $\mathbf{T} = (T^0, \dots, T^{m-1})$ of the form

$$T^k(x^0, \dots, x^{m-1}) = x^k \oplus \Bigl(\Bigl(\bigwedge_{s=0}^{k-1} x^s\Bigr) \wedge \Bigl(\bigwedge_{r=0}^{m-1} \bigl(T(x^r) \oplus x^r\bigr)\Bigr)\Bigr) \oplus u^k(x^0, \dots, x^{m-1}),$$

where

$$(2.1.1) \qquad \sum_{(x^0, \dots, x^{m-1}) = (0, \dots, 0)}^{(2^r - 1, \dots, 2^r - 1)} \delta_r\bigl(u^k(x^0, \dots, x^{m-1})\bigr) \equiv 0 \pmod 2$$

for all $r = 0, 1, 2, \dots$ (footnote 4).

Footnote 1. Loosely speaking, we may think of an element of a Cartesian power as of a table of $m$ infinite binary rows, to which we put into correspondence an infinite binary string (that is, an element of $\mathbb{Z}_2$) obtained by reading successively the bits of each column, from top to bottom.

Footnote 2. I.e., a bitwise multiplication modulo 2.

Footnote 3. That is, $T$ induces a permutation on $\mathbb{Z}/2^n$ for all $n = 1, 2, 3, \dots$

With the use of these considerations we deduce from theorem 2.1 the following

2.2. Proposition. Let $f^j_s\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ ($s \in \{0, 1, \dots, m-1\}$, $j = 0, 1, \dots, m-1$) be (univariate) ergodic functions, and let $g^j_s\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ ($s \in \{0, 1, \dots, j-1\}$, $j = 1, 2, \dots, m-1$) be (univariate) measure-preserving functions. Then the mapping

$$\mathbf{H}(x^0, \dots, x^{m-1}) = \bigl(h^0(x^0, \dots, x^{m-1}), \dots, h^{m-1}(x^0, \dots, x^{m-1})\bigr)$$

of $(\mathbb{Z}_2)^{(m)}$ onto $(\mathbb{Z}_2)^{(m)}$ such that

$$h^0(x^0, \dots, x^{m-1}) = x^0 \oplus \bigwedge_{r=0}^{m-1} \bigl(f^0_r(x^r) \oplus x^r\bigr);$$

$$\vdots$$

$$h^{m-1}(x^0, \dots, x^{m-1}) = x^{m-1} \oplus \Bigl(\Bigl(\bigwedge_{s=0}^{m-2} g^{m-1}_s(x^s)\Bigr) \wedge \Bigl(\bigwedge_{r=0}^{m-1} \bigl(f^{m-1}_r(x^r) \oplus x^r\bigr)\Bigr)\Bigr)$$

is ergodic. That is, for all $n = 1, 2, \dots$ the mapping $\mathbf{H}$ induces modulo $2^n$ a permutation with a single cycle; hence the length of this cycle is $2^{mn}$.

Proof. It suffices to demonstrate that the conjugate mapping $H\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and ergodic. Denote $\chi^s_k = \delta_k(x^s)$; we have to represent $\delta_k(h^c(x^0, \dots, x^{m-1}))$ as a Boolean polynomial in the Boolean variables $\chi^s_k$. For $c \in \{0, 1, \dots, m-1\}$ let

$$G^c = \bigwedge_{s=0}^{c-1} g^c_s(x^s), \qquad F^c = \bigwedge_{s=0}^{m-1} \bigl(f^c_s(x^s) \oplus x^s\bigr).$$

Now, since the functions $g^c_s$ and $f^c_s$ are compatible and, respectively, measure preserving/ergodic, in view of 2.1 one obtains the following representation of $\delta_k(g^c_s)$ and $\delta_k(f^c_s)$ as Boolean polynomials:

$$\delta_k(g^c_s(x^s)) = \chi^s_k + \psi^s_k(\chi^s_0, \dots, \chi^s_{k-1});$$

$$\delta_0(f^c_s(x^s)) = \chi^s_0 + 1;$$

$$\delta_k(f^c_s(x^s)) = \chi^s_k + \chi^s_0 \cdots \chi^s_{k-1} + \tilde\psi^s_k(\chi^s_0, \dots, \chi^s_{k-1}) \qquad (k > 0);$$

where $\deg \tilde\psi^s_k(\chi^s_0, \dots, \chi^s_{k-1}) < k$. Further, since

$$\delta_k(G^c \wedge F^c) = \prod_{s=0}^{c-1} \delta_k(g^c_s(x^s)) \cdot \prod_{s=0}^{m-1} \bigl(\delta_k(f^c_s(x^s)) + \delta_k(x^s)\bigr) \pmod 2,$$

the above equations imply that

$$\delta_0(G^0 \wedge F^0) = 1;$$

$$\delta_k(G^c \wedge F^c) = \chi^0_k \cdots \chi^{c-1}_k \cdot \chi^0_0 \cdots \chi^0_{k-1} \cdots \chi^{m-1}_0 \cdots \chi^{m-1}_{k-1} + \Phi^c_k \qquad (k > 0 \text{ or } c > 0);$$

where $\Phi^c_k$ is a Boolean polynomial in the Boolean variables $\chi^0_k, \dots, \chi^{c-1}_k, \chi^0_0, \dots, \chi^0_{k-1}, \dots, \chi^{m-1}_0, \dots, \chi^{m-1}_{k-1}$ (for $c = 0$ only the second group of variables occurs, for $k = 0$ only the first), and $\deg \Phi^c_k < mk + c$. Finally, $\delta_k(h^c(x^0, \dots, x^{m-1})) = \chi^c_k + \delta_k(G^c \wedge F^c)$, and the result follows in view of 2.1. □

Footnote 4. Such mappings $u^k$ are called even parameters in [1].

2.3. Note. Of course, the assertion of the proposition remains true for the mappings $h^s \oplus u^s$ ($s = 0, 1, \dots, m-1$), where $u^s$ is an arbitrary mapping that satisfies (2.1.1), since these mappings add summands of degree $< mk + s$ to each Boolean polynomial $\delta_k(h^s(x^0, \dots, x^{m-1}))$, see the proof of 2.2.

With this note we can deduce some consequences of proposition 2.2. 

2.4. Corollary. [7, Theorem 6 and Lemma 1] The $m$-variate mapping defined by

$$h^s(x^0, \dots, x^{m-1}) = x^s \oplus \Bigl(\bigl(h(x^0 \wedge \cdots \wedge x^{m-1}) \oplus (x^0 \wedge \cdots \wedge x^{m-1})\bigr) \wedge x^0 \wedge \cdots \wedge x^{s-1}\Bigr),$$

$s = 0, 1, \dots, m-1$, is compatible and ergodic whenever $h$ is a univariate compatible and ergodic function.

Proof. Just note that both $\delta_k\bigl((\bigwedge_{r=0}^{s-1} x^r) \wedge \bigwedge_{r=0}^{m-1} (h(x^r) \oplus x^r)\bigr)$ and $\delta_k\bigl((\bigwedge_{r=0}^{s-1} x^r) \wedge (h(\bigwedge_{r=0}^{m-1} x^r) \oplus \bigwedge_{r=0}^{m-1} x^r)\bigr)$ are Boolean polynomials of the same degree $mk + s$. □

2.5. Corollary. For $m > 1$, under the conditions of 2.2 the following $m$-variate mapping

$$h^t(x^0, \dots, x^{m-1}) = x^t + \Bigl(\Bigl(\bigwedge_{s=0}^{t-1} g^t_s(x^s)\Bigr) \wedge \Bigl(\bigwedge_{r=0}^{m-1} \bigl(f^t_r(x^r) \oplus x^r\bigr)\Bigr)\Bigr),$$

$t = 0, 1, \dots, m-1$, is compatible and ergodic.

Proof. Integer addition $+$ adds a carry from the $(mk + c)$-th bit to the $(m(k+1) + c)$-th bit of the conjugate mapping $H\colon \mathbb{Z}_2 \to \mathbb{Z}_2$; the carry is a Boolean polynomial in the variables

$$\chi^0_k, \chi^1_k, \dots, \chi^c_k, \chi^0_0, \dots, \chi^0_{k-1}, \dots, \chi^{m-1}_0, \dots, \chi^{m-1}_{k-1};$$

hence, integer addition just adds a Boolean polynomial in $km + c + 1$ variables to the Boolean polynomial $\delta_{k+1}(h^c(x^0, \dots, x^{m-1}))$ in $(k+1)m + c$ variables. So this extra summand is of degree at most $km + c + 1 < (k+1)m + c$, see the proof of proposition 2.2. □

2.6. Note. Again, the corollary remains true for the mappings $h^s + u^s$ ($s = 0, 1, \dots, m-1$), where $u^s$ is an arbitrary mapping that satisfies (2.1.1).
We recall that according to [1, Proposition 3.10], a compatible univariate function $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ (resp., $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$) preserves measure (resp., is ergodic) iff it could be represented as $g(x) = d + x + 2 \cdot v(x)$ (respectively, as $f(x) = 1 + x + 2 \cdot (v(x+1) - v(x))$) for suitable $d \in \mathbb{Z}_2$ and compatible $v\colon \mathbb{Z}_2 \to \mathbb{Z}_2$. In other words, one can take $v$ to be an arbitrary (e.g., key-dependent) composition of arithmetic operations (such as addition, multiplication, subtraction, etc.) and bitwise logical operations (such as XOR, AND, OR, etc.); see [1] for details. Thus, to obtain a cycle of length, say, $2^{256}$ by applying the above results, one could use 8-variate mappings and work with 32-bit words, which are standard for most contemporary computers.

We note, however, that similarly to the univariate case, only senior bits of the output sequence achieve the maximum period length. To be more exact, if $x^j_i$ is the value of the $j$-th variable at the $i$-th step, $(x^0_{i+1}, \dots, x^{m-1}_{i+1}) = \mathbf{H}(x^0_i, \dots, x^{m-1}_i)$, then the period length of the bit sequence $\{\delta_s(x^j_i)\colon i = 0, 1, 2, \dots\}$ is $2^{ms+j+1}$, for $s \in \{0, 1, \dots\}$, $j \in \{0, 1, \dots, m-1\}$. This could be improved by the use of multivariate output functions in the manner of [1, Proposition 4.13], namely:

2.7. Proposition. Let $\mathbf{H}$ and $\mathbf{F}$ be $m$-variate ergodic mappings that satisfy the conditions of proposition 2.2, and let $\pi\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^n$ be an arbitrary permutation of the bits of an $n$-bit word $z \in \mathbb{Z}/2^n$ such that $\delta_0(\pi(z)) = \delta_{n-1}(z)$ (e.g., $\pi$ could be a bit order reversing permutation, or a 1-bit cyclic shift towards senior bits). Consider a recurrence sequence $y = \{y_i\colon i = 0, 1, 2, \dots\}$ over $(\mathbb{Z}/2^n)^{(m)}$ defined by the laws

$$x_{i+1} = \mathbf{H}(x_i) \bmod 2^n; \qquad y_i = \mathbf{F}\bigl(\pi(x^{m-1}_i), x^0_i, \dots, x^{m-2}_i\bigr) \bmod 2^n,$$

where $x_i = (x^0_i, \dots, x^{m-1}_i)$, $y_i = (y^0_i, \dots, y^{m-1}_i) \in (\mathbb{Z}/2^n)^{(m)}$. Then the output sequence $y$ is purely periodic, its period length is exactly $2^{nm}$, each element of $(\mathbb{Z}/2^n)^{(m)}$ occurs at the period exactly once, and the period length of each coordinate sequence $\delta_k(y^j) = \{\delta_k(y^j_i)\colon i = 0, 1, 2, \dots\}$ is exactly $2^{nm}$ (footnote 5).

Proof. Immediately follows by application of [1, Proposition 4.13] to the (univariate) conjugate mappings $H$ and $F$; we just note that Proposition 4.13 of [1], as it easily follows from its proof, holds for an arbitrary permutation $\pi$ that satisfies the conditions of our proposition 2.7. □

2.8. Note. As it follows from the proof of [1, Proposition 4.13], to provide the maximum period length of all coordinate sequences of the output sequence it is sufficient only to apply the output function in such a way that the most significant bit of the state transition function substitutes for the least significant bit of the argument of the output function. Thus, proposition 2.7 remains true if one permutes the variables $x^0, \dots, x^{m-1}$ of the function $\mathbf{F}$ in arbitrary order, or permutes bits in these variables, or applies arbitrary bijections to these variables, etc.
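The statements of Corollary 2.4, the coordinate-bit periods $2^{ms+j+1}$ noted before Proposition 2.7, and the output function of Proposition 2.7 can all be checked by brute force on small word sizes. The Python below is an added example, not code from the paper: it takes $h(u) = u + (u^2 \vee 5)$ and $h(u) = u + (u^2 \vee 7)$ (the Klimov-Shamir single-cycle T-functions) as the univariate compatible ergodic functions for $\mathbf{H}$ and $\mathbf{F}$, which is an assumption of the example, and uses bit reversal as $\pi$.

```python
def h_ks(u, n, c):
    # Klimov-Shamir single-cycle T-function u + (u^2 | c), c in {5, 7}: used here as a
    # univariate compatible ergodic h (an assumption of this example, not from the paper)
    return (u + ((u * u) | c)) & ((1 << n) - 1)

def conj_all(words, mask):
    acc = mask                              # conjunction over the empty set is -1 (all ones)
    for w in words:
        acc &= w
    return acc

def cor24(x, n, h):
    """Corollary 2.4 on n-bit words:
    h^s(x) = x^s xor ((h(a) xor a) and x^0 and ... and x^{s-1}),  a = x^0 and ... and x^{m-1}."""
    mask = (1 << n) - 1
    a = conj_all(x, mask)
    alpha = h(a, n) ^ a
    return tuple(x[s] ^ (alpha & conj_all(x[:s], mask)) for s in range(len(x)))

def state_cycle(m, n):
    """Orbit of (0, ..., 0) under H = cor24 built from h(u) = u + (u^2 | 5)."""
    H = lambda x: cor24(x, n, lambda u, nn: h_ks(u, nn, 5))
    start, seq, cur = (0,) * m, [], (0,) * m
    while True:
        seq.append(cur)
        cur = H(cur)
        if cur == start:
            return seq

def is_single_cycle(m, n):
    """Proposition 2.2 / Corollary 2.4: the cycle through 0 must contain all 2^(nm) states."""
    return len(state_cycle(m, n)) == (1 << n) ** m

def exact_period(bits):
    """Least period of a purely periodic sequence whose period is a power of two."""
    L, p = len(bits), 1
    while p < L and any(bits[i] != bits[(i + p) % L] for i in range(L)):
        p *= 2
    return p

def state_bit_period(m, n, s, j):
    """Period of delta_s(x_i^j) along the state sequence; the paper gives 2^(ms+j+1)."""
    return exact_period([(x[j] >> s) & 1 for x in state_cycle(m, n)])

def bit_reverse(w, n):
    return int(format(w, f'0{n}b')[::-1], 2)   # a pi with delta_0(pi(z)) = delta_{n-1}(z)

def output_bit_period(m, n, k, j):
    """Proposition 2.7: y_i = F(pi(x_i^{m-1}), x_i^0, ..., x_i^{m-2}), F = cor24 built
    from h(u) = u + (u^2 | 7); every delta_k(y_i^j) should have period exactly 2^(nm)."""
    F = lambda arg: cor24(arg, n, lambda u, nn: h_ks(u, nn, 7))
    ys = [F((bit_reverse(x[-1], n),) + x[:-1]) for x in state_cycle(m, n)]
    return exact_period([(y[j] >> k) & 1 for y in ys])
```

With $m = 2$, $n = 3$ the state bit $\delta_1(x^0_i)$ has period $2^{2 \cdot 1 + 0 + 1} = 8$, while every output bit has period $2^{6} = 64$.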

It turns out that with the use of the techniques of wreath products of [1] it is possible to "lift" an arbitrary permutation on $(\mathbb{Z}/2^n)^{(m)}$ with a single cycle to $(\mathbb{Z}_2)^{(m)}$, i.e. to obtain "really multivariate" permutations with a single cycle (in a somewhat "univariate manner", of course). Recall the following theorem, which is a generalization of theorem 2.1:

Footnote 5. Recall that according to [1] the term "exactly" within this context means that the purely periodic binary sequence $\delta_k(y^j)$ has no periods of length less than $2^{nm}$.
2.9. Theorem. ([1, 4.3 and 4.4; or 4.10]) Let $T\colon \mathbb{Z}/2^M \to \mathbb{Z}/2^M$, $M > 1$, be an arbitrary permutation with a single cycle, and let the mappings $H_z(\cdot)\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ ($z \in \mathbb{Z}/2^M$) satisfy the following conditions:

(1) $\delta_i(H_z(x)) = \delta_i(x) + \beta_i(z; x) \pmod 2$ ($i = 0, 1, 2, \dots$), where the $\beta_i$ are Boolean functions in the Boolean variables $\delta_r(z)$, $\delta_s(x)$ ($r \in \{0, 1, \dots, M-1\}$, $s \in \{0, \dots, i-1\}$), and $\beta_0(z; x) = \beta_0(z)$ does not depend on $x$;

(2) $\sum_{z=0}^{2^M - 1} \beta_0(z) \equiv 1 \pmod 2$;

(3) $\sum_{z=0}^{2^M - 1} \sum_{x=0}^{2^i - 1} \beta_i(z; x) \equiv 1 \pmod 2$, $i = 1, 2, \dots$

Then the mapping

$$W(x) = T(x \bmod 2^M) + 2^M \cdot H_{x \bmod 2^M}\Bigl(\Bigl\lfloor \frac{x}{2^M} \Bigr\rfloor\Bigr)$$

is transitive modulo $2^k$ (that is, induces a permutation with a single cycle on the residue ring modulo $2^k$) for all $k > M$.

From here we deduce the following 

2.10. Proposition. Let $\mathbf{T}\colon (\mathbb{Z}/2^n)^{(m)} \to (\mathbb{Z}/2^n)^{(m)}$ be an arbitrary (not necessarily compatible) $m$-variate mapping with a single cycle, and let $\mathbf{H}\colon (\mathbb{Z}_2)^{(m)} \to (\mathbb{Z}_2)^{(m)}$ be any $m$-variate compatible ergodic mapping mentioned above (see 2.2, 2.3, 2.4, 2.5, 2.6). Then the $m$-variate mapping $\mathbf{W}(\mathbf{x}) = \mathbf{T}(\mathbf{x} \bmod 2^n) + \bigl(\mathbf{H}(\mathbf{x}) \wedge ((-2^n)^{(m)})\bigr)$ of $(\mathbb{Z}_2)^{(m)}$ onto $(\mathbb{Z}_2)^{(m)}$ induces a permutation with a single cycle modulo $2^N$ for all $N > n$.

Recall that the 2-adic representation of $-2^n$ is an infinite binary string whose first $n$ bits are 0 and the rest are 1. In other words, $\mathbf{H}(\mathbf{x}) \wedge ((-2^n)^{(m)})$ takes $\mathbf{x} = (x^0, \dots, x^{m-1})$ to $\bigl(h^0(\mathbf{x}) \wedge (-2^n), \dots, h^{m-1}(\mathbf{x}) \wedge (-2^n)\bigr)$, thus putting zeros into the first $n$ low order bits, whereas $\mathbf{x} \bmod 2^n = (x^0 \bmod 2^n, \dots, x^{m-1} \bmod 2^n)$ puts zeros into all senior order bits, starting with the $n$-th bit (we start enumerating bits with 0).

Proof of proposition 2.10. The conjugate mapping $W$ satisfies 2.9 for $M = nm$, since all Boolean polynomials $\delta_j(h^c(\mathbf{x}))$ are of odd weight, see the proof of 2.2. □

Concluding the section we just note that it is clear now how to construct counter-dependent generators with the use of the above multivariate ergodic mappings. Take, for instance, $M > 1$ odd, and take a finite sequence (footnote 6)

$$\{c_j = (c^0_j, \dots, c^{m-1}_j)\colon j = 0, 1, \dots, M-1\}$$

of $m$-dimensional vectors over $\mathbb{Z}/2^n$ such that the sequence of its first coordinates satisfies the conditions of proposition 4.3 of [1]; that is, $\sum_{j=0}^{M-1} c^0_j \equiv 0 \pmod 2$, and the sequence $\{c^0_{j \bmod M} \bmod 2\colon j = 0, 1, \dots\}$ is purely periodic of period length exactly $M$. Then take arbitrary $m$-variate ergodic mappings $\mathbf{H}_j$ and $\mathbf{F}_j$, $j = 0, 1, \dots, M-1$, described above and consider the recurrence sequences defined by the laws

$$x_{i+1} = \bigl(c_{i \bmod M} \oplus \mathbf{H}_{i \bmod M}(x_i)\bigr) \bmod 2^n;$$

$$y_i = \bigl(\mathbf{F}_{i \bmod M}(\pi(x^{m-1}_i), x^0_i, \dots, x^{m-2}_i)\bigr) \bmod 2^n,$$

for $i = 0, 1, 2, \dots$, where $\pi$ satisfies the conditions of 2.7. Then the sequence of internal states $\{x_i\}$ is purely periodic of period length exactly $M \cdot 2^{nm}$, and each $m$-dimensional vector over $\mathbb{Z}/2^n$ occurs at the period exactly $M$ times. The output sequence $y = \{y_i\}$ is also purely periodic of period length exactly $M \cdot 2^{nm}$, and each $m$-dimensional vector over $\mathbb{Z}/2^n$ occurs at the period exactly $M$ times; moreover, the period length of each coordinate sequence $\delta_k(y^j) = \{\delta_k(y^j_i)\colon i = 0, 1, 2, \dots\}$ is a multiple of $2^{nm}$, which is not less than $2^{nm}$ and does not exceed $M \cdot 2^{nm}$. This conclusion follows immediately by application of [1, Propositions 4.6 and 4.13] to the conjugate mappings $H_j$ and $F_j$. The other counter-dependent generators (for $M = 2^k$ or arbitrary $M$) based on [1, 4.3, 4.4, 4.6 and 4.10] could be constructed by analogy.

Footnote 6. Which may be stored in memory, or may be generated on the fly while implementing the corresponding generator.
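The following Python is an added example, not code from the paper, that checks on small parameters the conjugate of $H(X) = 1 + X$ given at the start of this section, the lifting of Proposition 2.10, and the counter-dependent generator just described. The single-cycle permutation $\mathbf{T}$ is drawn at random and the vectors $c_j = (c^0_j, 0, \dots, 0)$ are constructed inputs; taking every $\mathbf{H}_j$ to be the conjugate of $1 + X$ is an assumption of the example.

```python
import random
from itertools import product

def conj_increment(x, n):
    """Conjugate of H(X) = X + 1 (Section 2) on n-bit words:
    h^k(x) = x^k xor ((x^0 and ... and x^{k-1}) and ((a + 1) xor a)), a = x^0 and ... and x^{m-1}."""
    mask = (1 << n) - 1
    a = mask                          # conjunction over the empty set is -1 (all ones)
    for w in x:
        a &= w
    flip = ((a + 1) ^ a) & mask       # bit l is set iff bits 0..l-1 of every x^r are 1
    out, prefix = [], mask
    for w in x:
        out.append(w ^ (flip & prefix))
        prefix &= w
    return tuple(out)

def interleave(x, n):
    """The bijection B: bit l*m + r of B(x^0, ..., x^{m-1}) is bit l of x^r."""
    X = 0
    for l in range(n):
        for r, w in enumerate(x):
            X |= ((w >> l) & 1) << (l * len(x) + r)
    return X

def check_conjugation(m, n):
    """B(h(x)) == B(x) + 1 (mod 2^(nm)) for all x, i.e. h really is B^-1 (X + 1) B."""
    return all(interleave(conj_increment(x, n), n) == (interleave(x, n) + 1) % (1 << n * m)
               for x in product(range(1 << n), repeat=m))

def random_single_cycle(m, n, seed):
    """Constructed input: an arbitrary (non-compatible) single-cycle permutation T of (Z/2^n)^(m)."""
    states = list(product(range(1 << n), repeat=m))
    random.Random(seed).shuffle(states)
    return {s: states[(i + 1) % len(states)] for i, s in enumerate(states)}

def lift(T, x, n, N):
    """Proposition 2.10: W(x) = T(x mod 2^n) + (H(x) and (-2^n)^(m)), taken modulo 2^N."""
    low, high = (1 << n) - 1, ((1 << N) - 1) ^ ((1 << n) - 1)   # high = -2^n mod 2^N
    t, h = T[tuple(w & low for w in x)], conj_increment(x, N)
    return tuple(t[c] + (h[c] & high) for c in range(len(x)))  # t[c] < 2^n: no carries

def cycle_length(step, start):
    cur, length = step(start), 1
    while cur != start:
        cur, length = step(cur), length + 1
    return length

def check_lifting(m, n, N, seed=1):
    """W must be a single cycle on (Z/2^N)^(m), i.e. of length (2^N)^m, for N > n."""
    T = random_single_cycle(m, n, seed)
    return cycle_length(lambda x: lift(T, x, n, N), (0,) * m) == (1 << N) ** m

def counter_dependent_period(m, n, c0):
    """States x_{i+1} = (c_{i mod M} xor H_{i mod M}(x_i)) mod 2^n with M = len(c0) odd,
    c_j = (c0[j], 0, ..., 0) and every H_j = conj_increment (assumed).
    Returns the exact period of {x_i}; the paper states M * 2^(nm)."""
    M, L, x, xs = len(c0), len(c0) * (1 << n * m), (0,) * m, []
    for i in range(2 * L):            # two claimed periods, enough to confirm periodicity
        xs.append(x)
        h = conj_increment(x, n)
        x = (h[0] ^ c0[i % M],) + h[1:]
    return next(p for p in range(1, L + 1) if L % p == 0 and xs[p:] == xs[:-p])
```

For $c^0 = (1, 1, 0)$ the parity and period conditions hold and the state period is $3 \cdot 2^{nm}$; for $c^0 = (1, 0, 0)$ the sum is odd and the period collapses.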

3. Skew shifts and wreath products: a discussion 

The aim of this section is to make more transparent the core mapping underlying the constructions introduced in [1], [2], [3], [4], [8], [9], [7], as well as [5] and even [6]. This mapping is a wreath product (footnote 7) of permutations; a wreath product of permutations is a special case of a skew product transformation (footnote 8). We recall the most abstract definition:

3.1. Definition. Given two non-empty sets $X$, $Y$, a mapping $h\colon X \to X$, and a mapping $H\colon X \to Y^{(Y)}$, where $Y^{(Y)}$ (footnote 9) is the set of all mappings of $Y$ into $Y$. Denote the action of $H$ as $(H(x))(y) = H_x(y)$ for $x \in X$, $y \in Y$. Then the skew product transformation $H \wr h$ is the mapping of the direct product $X \times Y$ into itself such that $(H \wr h)(x, y) = (h(x), H_x(y))$.

It is obvious that if $h$ is a bijection and all $H_x$, $x \in X$, are bijections, then $H \wr h$ is a bijection. For instance, if $*$ is a quasigroup operation (footnote 10) on $Y$, $F\colon X \to Y$ is an arbitrary mapping and $H_x(y) = y * F(x)$, then $H \wr h$ is bijective whenever $h$ is bijective. A classical example in ergodic theory is the skew shift on the torus, which takes $(x, y) \in (\mathbb{T})^{(2)}$ to $(x \boxplus \gamma, y \boxplus \alpha(x))$, where $(\mathbb{T})^{(2)}$ is the 2-dimensional torus (i.e., the Cartesian product of the real interval $[0, 1]$ with itself); $\gamma, \alpha(x) \in [0, 1]$, and $\boxplus$ is addition modulo 1 of reals of $[0, 1]$.

Another example of importance to cryptography is the $i$-th round permutation $R_i(k)$ of a Feistel network: this permutation takes $(x, y) \in (\mathbb{Z}/2^n)^{(2)}$ to $(y \oplus f_i(k, x), x)$ (with $k$ being a key). Obviously, $R_i(k)$ is a composition of the skew shift $(x, y) \mapsto (x, y \oplus f_i(k, x))$ and the permutation $\tau(x, y) = (y, x)$, which merely changes the positions of two concatenated $n$-bit subwords in a $2n$-bit word. By the way, we used a construction somewhat resembling this permutation $R_i(k)$ in 2.7: in fact, from 2.1 it is clear that a compatible mapping (or a T-function, in the terminology of [8]) of $\mathbb{Z}/2^N$ into $\mathbb{Z}/2^N$ is a composition of $N$ skew product transformations of $\mathbb{Z}/2$, and that a measure preserving mapping (or invertible T-function) is a skew shift on the $N$-dimensional discrete torus $(\mathbb{Z}/2)^{(N)}$. Skew products seem to become popular in cryptography: Boaz Tsaban noted that the construction of a counter-dependent generator of [11] is just an ergodic-theoretic skew product of a counter (or any automaton) with the given automaton. In particular, if the counter is replaced by any ergodic transformation, then the resulting cipher will be ergodic, [12]. All these observations lead to a suggestion that there are tight connections between ergodic theory and cryptography. In fact, in this paper we use the notions of ergodicity and measure preservation just because the corresponding mappings are ergodic or measure-preserving in the exact sense of ergodic theory.

Footnote 7. This notion is more common in group theory.

Footnote 8. The latter notion is well known in dynamical systems and ergodic theory.

Footnote 9. I.e., a Cartesian power of $Y$.

Footnote 10. That is, for all $a, b$ both equations $y * a = b$ and $a * y = b$ have unique solutions in $y$.

Of course, the most intriguing question, which naturally arises in this connection, is whether ergodic theory could give something to prove (or to give strong evidence of) the cryptographic security of the corresponding schemes. Maybe it is too early to put such a question now, yet note that one of the one-way candidates, namely, DES with a fixed message, is a composition of skew shifts with a permutation $\tau$. Note that in the corresponding construction [10] DES is assumed to be a family of pseudorandom functions. In [1] we conjectured that a mapping $F\colon \mathbb{Z}/2^n \to \mathbb{Z}/2^k$ defined by $k$ randomly and independently chosen Boolean polynomials (with a polynomially restricted number of monomials) in $n$ variables is a one-way function, and gave some evidence that among the generators we studied there may exist ones that are provably strong against a known plaintext attack. A stronger assumption that $F$ is a pseudorandom function (how plausible is this assumption?) may lead to a proof that the corresponding generator is pseudorandom. For instance, forming from the output sequence $\{y_i\}$ (see [1, Section 6] for notations) the sequence $y_0, y_0 \oplus y_1, \dots, y_{m-2} \oplus y_{m-1}, \dots$, with probability $1 - \varepsilon$ one obtains that

$$y_0 = F(z),\ y_0 \oplus y_1 = F(z + 1),\ \dots,\ y_{m-2} \oplus y_{m-1} = F(z + m - 1),\ \dots$$

Yet under the assumptions that are made, this sequence, as well as the output sequence, must be pseudorandom.

More "ergodic-theoretic common features" could be seen while analysing the proofs of the corresponding results. The mappings defined by compositions of arithmetic and bitwise logical operations turn out to be continuous on $\mathbb{Z}_2$, and moreover, rather close to uniformly differentiable mappings, see [3], [2], [1], [4]. To study certain important cryptographic properties of these mappings we approximate them (with respect to the 2-adic distance) by uniformly differentiable functions; we have to calculate derivatives of these functions to check whether a given mapping is a permutation, or whether it is equiprobable. On the other hand, to study similar questions for other algebraic systems, e.g., discrete groups, we also have to study derivatives, namely, Fox derivatives of mappings of groups, see [6], [5] for details. Thus, we have to use "continuous" techniques to study "discrete" problems. We could continue such observations. In our view, all this is more than a mere analogy between ergodic-theoretic and cryptographic constructions.